The novel severe acute respiratory syndrome coronavirus 2 and its associated disease, COVID-19, have increased the amount of time that people spend working from home and in social isolation. In 2020, the number of users worldwide who relied on the Internet for work, education, and entertainment increased significantly. This growth is causing a substantial rise in bandwidth usage, with a sudden spike in the number of cyberattacks, such as distributed denial of service (DDoS). The situation is accelerating IT infrastructure providers’ migration toward new technological innovations, such as software-defined networking (SDN). Compared to traditional architectures, can SDN-based networks flexibly solve security and management problems to cope with the new challenges?


Critical Services 

Due to the COVID-19 pandemic, governments worldwide have been providing self-quarantine and social distancing guidance to limit the spread of infection, leading many organizations and employees to shift to remote working solutions. In response, the use of online video meeting applications, such as Zoom, Google Meet, and Skype, increased considerably. According to a 2020 Nokia report, video conferencing traffic is up 700% in the United States compared to February 2020. Similarly, broadband provider BusinessWire has counted a 30% rise in data traffic and a 50% jump in voice traffic on its network since mid-March. There has been a reported 45% increase in communication traffic from applications such as WhatsApp, Teams, and Skype. Simultaneously, voice calls have doubled in number, and overall voice usage is 45% higher. The increase in used bandwidth forced Internet companies, such as Amazon, YouTube, and Netflix, to reduce the quality of their streaming services. The goal was to ease the pressure on telecommunication networks. As a result, several organizations established pandemic-specific policies and procedures to maintain their essential services and products.

DDoS attacks have also increased significantly during the pandemic. According to a Bitglass remote work report, 84% of organizations support remote work capabilities. Consequently, 65% of organizations allow managed applications to be accessed by personal devices. However, many organizations find it difficult to secure remote networks, and 41% of companies have not taken any steps to expand secure access for their remote workforce, according to Bitglass. This article investigates how SDN can handle the complexity and overhead in legacy network architectures.


What Is SDN? 


SDN simplifies system management and configuration to introduce new abstractions in networking. SDN facilitates the execution of policies and the dynamic control of networks through a centralized controller. The key concept behind the SDN paradigm is the separation of control and data functions from network devices, such as routers and switches.

The SDN architecture consists of three planes: data, control, and application, as depicted in Figure 1. The data plane contains the network equipment and is responsible for the flow from the source to the destination networks. The network plane does not rely only on physical devices, such as routers and switches; it can contain software-based devices, including virtual switches.

The control plane acts as the brain of the SDN architecture and contains one or more controllers. The primary function of the control plane is to execute network policies. The application plane encompasses various functions, such as load balancers, detection systems, and network monitors. Applications interact with the SDN controller to utilize an abstract view of the network for internal decision-making processes.


Why SDN? 

Compared to traditional systems, SDN-based networks can flexibly solve security and management problems. SDN provides the concept of programmability to enable new network functions. Many network and security tasks, such as intrusion detection, network monitoring, and load balancing, can be used according to requirements. Moreover, modifying software applications is much easier than manually reconfiguring each network device. These benefits enable enterprises to meet ever-changing business demands without purchasing extra expensive network devices. Therefore, SDN can simplify the overall network design and enhance interoperability. In addition, network operators always use a management console or a command-line interface to configure devices in the traditional network. These interfaces lead to a configuration bottleneck and much manual effort. In contrast, SDN’s virtualized behavior can simplify operators’ overall network management through the centralized controller.

The collection of powerful and diverse SDN functions encouraged real-world network environments, such as Google and Facebook, to apply the technology in their data centers. Moreover, SDN can enable robust services in wireless network environments. Breaking network infrastructure into tractable pieces helps SDN surmount the limitations of the current system architecture, facilitating evolution and simplifying management.


SDN Security Enhancements

The centralized location of the SDN controller can provide more flexible deployments of network monitoring and ease the implementation of intrusion detection systems against attacks. The SDN controller can send request messages to collect statistics information from any network device (i.e., the data plane). We can understand the routing information and overall network topology by analyzing flow requests from the collected devices. Moreover, the SDN network's holistic view can help us develop security applications without exerting much effort.
To deploy intrusion detection systems against DDoS attacks in traditional architectures, we need to monitor as many network links as possible. This is because the source of attacks is unknown (e.g., botnets). However, the centralized controller's global view in SDN facilitates DDoS detection by instructing network devices to pass the flow traffic to the controller for further inspection without installing additional equipment. When it sees suspicious traffic patterns, the controller generates alerts and instructs the SDN switches to block the source.

Figure 1. The SDN architecture. API: application programming interface.


SDN Traffic Management

There has been a dramatic increase in the network load since people began working remotely, and countless students rely on remote learning. Hence, automated policy-based traffic management is more critical than ever to address the surge of bandwidth demand. In general, there are different types of applications that consume high amounts of bandwidth. Thus, fair access to critical services is an absolute requirement.

For example, real-time applications, such as voice over Internet Protocol, are more sensitive to delay. In contrast, other applications, including video conferencing, need a specific bandwidth for their traffic, thereby requiring special handling, i.e., higher priority. The quality of service (QoS) has been commonly applied in the traditional network, which faces many difficulties in guaranteeing the QoS for different applications. For example, applying a strict QoS can consume bandwidth through overprovisioning.

There are particular network protocols, such as integrated services and differentiated services, that are mainly used to establish the QoS in networks. However, these methods are not flexible enough. They require a complicated and expensive implementation to achieve better management, or they become coarse-grained in the case of simple deployments. Compared to traditional architectures, the SDN network’s global view facilitates the configuration of the QoS since SDN simplifies system management through the efficient use of resources. SDN can control and modify the entire network’s characteristics with dynamic, automated SDN programs written by operators to optimize assets.

Figure 2. The network topology.

Network operators can quickly implement automated QoS management frameworks using packet scheduling, queue management, and resource reservation. They can configure different routing algorithms with the help of OpenFlow instead of using the typical shortest path to improve QoS-motivated routing. SDNs can predict future behaviors, and they enable very low-level counters, such as per queue, per table, per port, per meter, and per packet, enabling operators to monitor network dynamics.
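An added example (not from the article) of the resource-reservation step in such a QoS framework: each class gets a guaranteed minimum, and capacity a class leaves unused is redistributed by weight instead of sitting idle, which avoids the overprovisioning that strict reservations cause. The class names, rates and weights are constructed assumptions.

```python
# Constructed policy for a 100 Mbit/s link: class -> (min_rate Mbit/s, weight).
POLICY = {"voip": (10.0, 4), "video": (40.0, 3), "bulk": (0.0, 1)}

def allocate(capacity, policy, demand):
    """Return class -> granted rate (Mbit/s) for the offered demand."""
    if any(m < 0 or w <= 0 for m, w in policy.values()):
        raise ValueError("min_rate must be >= 0 and weight > 0")
    reserved = sum(m for m, _ in policy.values())
    if reserved > capacity:   # admission control: guarantees must fit the link
        raise ValueError(f"reservations ({reserved}) exceed capacity ({capacity})")
    # Guaranteed share, capped by what the class actually offers.
    rate = {c: min(demand.get(c, 0.0), m) for c, (m, _) in policy.items()}
    spare = capacity - sum(rate.values())
    active = {c for c in policy if demand.get(c, 0.0) > rate[c]}
    # Water-filling: hand out spare capacity by weight; a class that is
    # satisfied leaves the round and its unused share goes to the others.
    while spare > 1e-9 and active:
        total_w = sum(policy[c][1] for c in active)
        grant = {c: min(spare * policy[c][1] / total_w, demand[c] - rate[c])
                 for c in active}
        for c, g in grant.items():
            rate[c] += g
        spare -= sum(grant.values())
        active = {c for c in active if demand[c] - rate[c] > 1e-9}
    return rate

if __name__ == "__main__":
    # Light load: VoIP uses half its guarantee, the rest flows to video and bulk.
    print(allocate(100.0, POLICY, {"voip": 5.0, "video": 60.0, "bulk": 80.0}))
    # Congestion: guarantees hold, bulk is squeezed first.
    print(allocate(100.0, POLICY, {"voip": 10.0, "video": 80.0, "bulk": 200.0}))
```

The resulting per-class rates are what a controller application would then push to switch queues; that step depends on the controller and is not shown.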


DDoS Attack Case Study 
The new architecture of SDN (i.e., decoupling the data plane from the control plane) creates DDoS attack surfaces that did not exist in conventional networks. However, the SDN controller becomes a single point of failure and a prime target for attackers to exploit. An attacker can bring down an entire network or disrupt its regular operation by attacking the controller. Therefore, it is essential to understand and investigate these attacks’ potential impact from the bad actor's perspective.

This section provides an experiment studying DDoS attacks’ effects and their consequences on the SDN controller's load and throughput. The experiment was performed using the Mininet simulator tool and the OpenDaylight controller platform. They were installed on separate virtual machines. The simulation network topology is depicted in Figure 2. The system under test consists of a set of hosts attached to OpenFlow switches in a tree topology. The command that was used to create the network topology is:

sudo mn --topo tree,2 --mac --controller=remote,ip=192.168.239.128,port=6633 --switch ovs,protocols=OpenFlow13


Here, hosts h1, h2, and h3 are attackers, and their objective is to generate a maximum workload for the controller. A maximum load is produced by creating an enormous number of requests. As a result, many OpenFlow packet-in messages are being sent to the controller and eventually consume its computing resources. Host h4 acts as a simple HTTP server that will listen on port 80. The simple HTTP server can be established by running the following command on the h4 terminal:

python -m SimpleHTTPServer 80


The Hping3 tool is used to flood the victim server and send the attack packets. The experiment is measured for 60 s, and the DDoS flooding attacks last for 10 s.

Figure 3 shows the CPU load of the SDN controller. The network throughput upon executing the flooding attack is illustrated in Figure 4. It can be seen that there is a significant increase in the CPU load due to the flooding attacks, as a function of the attack packet rate. Before the attack, the controller load and the network throughput are low because there are only a few communications between the controller and the OpenFlow switches. During the attack, the controller is flooded with many requests, raising the throughput and eventually exhausting and plunging the controller. The overall conclusion is that an attacker controlling a few hosts can completely exhaust the network resources or degrade the system's performance if many attack flows are directed to the SDN controller. Therefore, enhancing the security of the controller is an essential issue in the SDN system.
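The packet-in flood measured above can be caught at the controller with a sliding-window counter. The sketch below is an added example, not code from the article or from OpenDaylight: it replays a constructed trace shaped like the experiment (60 s run, 10 s flood from h1 to h3) and emits an OpenFlow-style drop rule per flooding ingress port; the threshold, window, switch IDs and port numbers are assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0    # sliding-window length in seconds (assumed value)
THRESHOLD = 100   # packet-ins tolerated per window and ingress port (assumed value)

class PacketInMonitor:
    """Sliding-window packet-in counter keyed by (switch, ingress port)."""

    def __init__(self, window=WINDOW_S, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.events = defaultdict(deque)   # (dpid, in_port) -> recent timestamps
        self.blocked = {}                  # (dpid, in_port) -> installed drop rule

    def observe(self, ts, dpid, in_port):
        """Record one packet-in; return a drop rule when a port first floods."""
        key = (dpid, in_port)
        if key in self.blocked:            # already mitigated at the switch
            return None
        q = self.events[key]
        q.append(ts)
        while ts - q[0] > self.window:     # expire events outside the window
            q.popleft()
        if len(q) <= self.threshold:
            return None
        # Empty action list = drop in OpenFlow; hard_timeout lets the block expire.
        rule = {"dpid": dpid, "match": {"in_port": in_port}, "actions": [],
                "priority": 1000, "hard_timeout": 60}
        self.blocked[key] = rule
        return rule

def constructed_trace():
    """Constructed data: 60 s of light traffic plus a 10 s flood on three ports."""
    ports = {"h1": (2, 1), "h2": (2, 2), "h3": (3, 1), "h4": (3, 2)}  # assumed
    ev = [(t + k / 2, *ports[h]) for t in range(60) for k in (0, 1) for h in ports]
    ev += [(20 + i / 500, *ports[h]) for i in range(5000) for h in ("h1", "h2", "h3")]
    return sorted(ev)

def detect(trace):
    """Replay a trace; return (timestamp, rule) for every block decision."""
    mon = PacketInMonitor()
    hits = ((ts, mon.observe(ts, dpid, port)) for ts, dpid, port in trace)
    return [(ts, rule) for ts, rule in hits if rule]

if __name__ == "__main__":
    for ts, rule in detect(constructed_trace()):
        print(f"t={ts:.3f}s block switch {rule['dpid']} port {rule['match']['in_port']}")
```

Matching on the ingress port rather than the source address keeps the check meaningful when flood packets carry spoofed sources; the cost is that everything behind that port is dropped until the rule times out.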


The COVID-19 pandemic has had a massive impact on Internet usage. The global SDN market is expected to achieve significant growth to keep pace with the rising traffic levels. SDN brings flexibility to network infrastructure, unlike traditional systems. It transforms today’s network into flexible and programmable platforms by isolating logical intelligence from system devices. Such features enable a better response to network changes, whether they stem from increased legitimate user access or DDoS attacks. SDN also provides features that are useful for automated decision making during new and unexpected events. This flexibility facilitates real-time responses to changing network conditions. SDN, however, is not perfect.

An SDN controller is a single point of failure from which an attacker can manipulate an entire network. If an attacker gains access to the SDN controller, he or she can drop or redirect all incoming traffic. In the worst case, an attacker can start a new assault against other targets. Furthermore, the SDN controller is susceptible to DDoS attacks. All traffic unmatched by SDN switches is forwarded to the controller for further processing. An attacker can generate useless traffic to deplete the controller's resources or cause packet latency.

Data plane devices are also vulnerable to DDoS attacks. Since the data switches have a limited buffer size and a restricted flow table, an attacker can flood a network with large payload packets to fill the buffer. A full buffer may cause a delay and even a drop in legitimate traffic. The communication channel between the control plane and the data plane can also be a target for man-in-the-middle attacks. This type of attack can modify or change the flow packets between the data and control planes, which enables an attacker to gain unauthorized access to the network devices. Even with the potential risks, SDNs facilitate rapid responses to the changing network conditions that we observed in 2020.

Figure 4. The network throughput before and after DDoS flooding attacks. MiB: mebibyte; GiB: gibibyte.